Solved: Re: Splunk Events getting truncated/choppedoff at ...

vijayakumarkb · ‎03-22-2019

My Event logs in splunk are getting truncated in the front part.

Is it possible to spllit lines based on below condition.

[logLevel=ERROR] - 2019-03-22 08:00:04,697 +0000 --

log level can be ERROR OR INFO, either one will come in logs.

how to use LINE_BREAKER for this. I tired couple of examples from the posts, but it is not working.

Currently using as before, but not working, event are chopped of from the front.

SHOULD_LINEMERGE=false
TRUNCATE=5000000

Any help please!!

nickhills · ‎03-25-2019

Use this in your props.conf

SHOULD_LINEMERGE=false
LINE_BREAKER=(^)\[logLevel
TIME_PREFIX=^\[logLevel=\w+\]\s-\s
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%N3
TRUNCATE=10000 #(or remove this as it's the default)

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎03-25-2019

Use this in your props.conf

SHOULD_LINEMERGE=false
LINE_BREAKER=(^)\[logLevel
TIME_PREFIX=^\[logLevel=\w+\]\s-\s
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%N3
TRUNCATE=10000 #(or remove this as it's the default)

If my comment helps, please give it a thumbs up!

vijayakumarkb · ‎03-25-2019

Thanks for the Answer Nick..
I added the solun, but it got all the events clubbed into one event.

for Eg :

[logLevel=ERROR] - 2019-03-25 01:39:24,980 +0000 -- "ConsumerService-9-ConnectionPool-Thread-24" com.DeliveryHandler -- message="INFO: First Time" timestamp="1553477964923"
[logLevel=ERROR] - 2019-03-25 01:39:52,094 +0000 -- "ConsumerService-9-ConnectionPool-Thread-25" com.DeliveryHandler -- message="INFO: First Time" timestamp="1553477992048"

both above events got merged and came as single event.

vijayakumarkb · ‎03-25-2019

should i be using %Y-%m-%d %H:%M:%S:%3N

nickhills · ‎03-25-2019

Tbh, I’m not sure how , is handled vs . in the time format. Worth a try, I can’t see what else is wrong.
I presume the events are split by line in the actual source file?

If my comment helps, please give it a thumbs up!

harsmarvania57 · ‎03-25-2019

Use below props.conf, its almost same as provided by @nickhillscpl but timestamp config is fixed.

[yoursourcetype]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N %z
TIME_PREFIX=^\[logLevel=\w+\]\s-\s
MAX_TIMESTAMP_LOOKAHEAD=29
LINE_BREAKER=(^)\[logLevel

yadavmalay · ‎08-12-2020

Logs are truncated at beginning

e WorkDay CW Data" transaction_start_epoch="1597257375.0102034" execution_id="87e92c54-dcca-11ea-8c01-0050568d9e34" browser="HeadlessChrome" browser_version="84.0.4147" os="Windows" os_version="10" ip="10.24.85.121" title="Horizon ACM - Custom Task: Synchronize Data" app_name="XYZ

Below are the props.conf file I am using at universal forwarder side.

SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N %z
TIME_PREFIX=^\[logLevel=\w+\]\s-\s
MAX_TIMESTAMP_LOOKAHEAD=29
LINE_BREAKER=(^)\[logLevel

Any suggestion please.

vijayakumarkb · ‎03-25-2019

Thanks Harsh for the help. let me test it

vijayakumarkb · ‎03-25-2019

let me try with %Y-%m-%d %H:%M:%S,%N3

vijayakumarkb · ‎03-25-2019

sorry %Y-%m-%d %H:%M:%S,%3N

vijayakumarkb · ‎03-25-2019

I presume the events are split by line in the actual source file?

Yes events are split

nickhills · ‎03-22-2019

Yikes, you don't want events that are 5MB each!

If my comment helps, please give it a thumbs up!

vijayakumarkb · ‎03-22-2019

Eg :

[logLevel=ERROR] - 2019-03-22 11:30:04,100 +0000 -- "ConsumerService-10-Thread-9" MasterService -- requestId="abc234" requestType="Register" message="Reporting - Success."
[logLevel=ERROR] - 2019-03-22 11:30:04,201 +0000 -- "ConsumerService-10-Thread-7" MasterService -- message="INFO SEND"

it is not coming as two separate events in Splunk always. getting trimmed of like as below

erService-10-Thread-29" MasterService -- requestId="abc234" requestType="Register" message="Reporting - Success."

nickhills · ‎03-22-2019

Can you post some example events, it sounds like you just need to configure your breaking settings correctly

If my comment helps, please give it a thumbs up!

vijayakumarkb · ‎03-25-2019

[logLevel=ERROR] - 2019-03-22 11:30:04,100 +0000 -- "ConsumerService-10-Thread-9" MasterService -- requestId="abc234" requestType="Register" message="Reporting - Success."
[logLevel=ERROR] - 2019-03-22 11:30:04,201 +0000 -- "ConsumerService-10-Thread-7" MasterService -- message="INFO SEND"

it is not coming as two separate events in Splunk always. getting trimmed of like as below

erService-10-Thread-29" MasterService -- requestId="abc234" requestType="Register" message="Reporting - Success."

vijayakumarkb · ‎03-25-2019

Any help for this

Splunk Events getting truncated/choppedoff at the begining

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...